Zero-Day Attack on Microsoft SharePoint Software
A significant zero-day attack exploiting a previously unknown vulnerability in Microsoft's self-hosted SharePoint Server software has hit government agencies, universities, and businesses worldwide.
Recent reports indicate that unidentified hackers have taken advantage of a serious flaw in SharePoint, leading to extensive attacks against U.S. and state agencies, educational institutions, energy companies, and telecommunications firms in Asia. These attacks commenced just a few days ago and are under investigation by U.S. authorities, in collaboration with counterparts in Canada and Australia.
SharePoint, a platform widely used for document management and collaboration, has tens of thousands of servers exposed to the Internet that are open to this vulnerability. Only self-hosted SharePoint Server installations are affected; SharePoint Online in Microsoft 365 is not. Microsoft has yet to ship a patch, and affected organizations are scrambling to respond. The company advises administrators either to change their SharePoint server's configuration (Microsoft's published interim guidance is to enable AMSI integration in SharePoint and run Defender Antivirus on the server) or to disconnect it from the Internet temporarily. Disconnecting is a blunt instrument, however, since the whole point of SharePoint is file sharing and collaborative work.
Cybersecurity experts are voicing grave concerns about the scale of this attack. Adam Meyers, a senior vice president at CrowdStrike, remarked, "Every organization with a hosted SharePoint server has a problem. This is a serious vulnerability." Similarly, Pete Renals from Unit 42 at Palo Alto Networks noted, "We've detected attempts to exploit thousands of SharePoint servers globally before patches have even been released. We've identified numerous compromised entities across both commercial and government sectors."
The ramifications of this breach are severe, because SharePoint servers are often integrated with other core services such as Outlook and Teams: an attacker who gains access can steal sensitive data and harvest credentials. Researchers have also pointed out that the attackers have a way to retain access even after the vulnerability is patched, which complicates response. The exploit lets them read the server's ASP.NET machine keys, with which they can forge valid requests, so installing the patch alone does not evict an intruder; the keys must also be rotated and the server checked for web shells.
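A first check a responder would want is whether a server's IIS logs show the exploit attempts the industry reported. The script below is an added example, not code from the article or from any vendor named in it. The request pattern it looks for (a POST to `/_layouts/15/ToolPane.aspx` with a Referer of `/_layouts/SignOut.aspx`, followed by requests for a dropped `spinstall0.aspx` web shell) is taken from the public write-ups of this campaign by Microsoft and incident responders, not from the article, and the log lines are constructed for the example.

```python
"""Triage IIS W3C logs from a self-hosted SharePoint server for the
request pattern published for the July 2025 SharePoint campaign.

Added example; indicators are from public vendor write-ups of this
campaign, not from the article. The sample log below is constructed.
"""
import re
from dataclasses import dataclass

# The exploit POST targets ToolPane.aspx while spoofing a Referer of the
# SignOut page; the dropped web shell is named spinstall0.aspx (variants
# with other digits were also reported, hence the \d*).
TOOLPANE = re.compile(r"/_layouts/(15/)?toolpane\.aspx", re.I)
SIGNOUT_REFERER = re.compile(r"/_layouts/(15/)?signout\.aspx", re.I)
WEBSHELL = re.compile(r"spinstall\d*\.aspx", re.I)


@dataclass
class Finding:
    when: str
    client_ip: str
    reason: str
    request: str


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields: header."""
    fields = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        rows.append(dict(zip(fields, parts)))
    return rows


def triage(text):
    """Return Findings for web-shell requests and ToolPane exploit attempts."""
    findings = []
    for r in parse_w3c(text):
        method = r.get("cs-method", "")
        uri = r.get("cs-uri-stem", "")
        query = r.get("cs-uri-query", "-")
        referer = r.get("cs(Referer)", "-")
        request = f"{method} {uri}" + ("" if query == "-" else f"?{query}")
        when = f"{r.get('date', '')} {r.get('time', '')}"
        ip = r.get("c-ip", "")
        if WEBSHELL.search(uri):
            findings.append(Finding(when, ip, "web shell path requested", request))
        elif (method.upper() == "POST" and TOOLPANE.search(uri)
              and SIGNOUT_REFERER.search(referer)):
            findings.append(Finding(when, ip, "ToolPane POST with SignOut referer (exploit attempt)", request))
    return findings


def attacker_ips(findings):
    """Distinct client addresses behind the findings, for blocking/hunting."""
    return sorted({f.client_ip for f in findings})


# Constructed sample log: one normal user request, one exploit POST, the
# follow-up web shell fetch, and a legitimate admin POST to ToolPane.aspx.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 06:10:01 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\alice 10.0.0.44 Mozilla/5.0 https://sp.example.test/sites/finance 200 0 0 120
2025-07-19 06:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 350
2025-07-19 06:12:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2025-07-19 06:20:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\bob 10.0.0.51 Mozilla/5.0 https://sp.example.test/_layouts/15/settings.aspx 200 0 0 80
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.when}  {f.client_ip:<15} {f.reason}: {f.request}")
    print("attacker IPs:", attacker_ips(triage(SAMPLE_LOG)))
```

The legitimate admin POST on the last line is not flagged because its Referer is a normal settings page; the SignOut referer is what distinguishes the exploit traffic. A hit on either indicator before the patch date means the machine keys should be treated as stolen and rotated, not just the patch applied.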
The identity and motivations of the hackers remain unclear at this point. Private research organizations report that the attackers seem to be targeting Chinese servers, U.S. state legislatures in the East, and have executed over 50 breaches involving European government agencies and major U.S. energy companies.
According to researchers bound by non-disclosure agreements, at least two U.S. federal agencies have been compromised. In one case in the eastern U.S., attackers allegedly "hijacked" a public document repository, cutting the agency off from crucial materials. Such "wiper"-style attacks are alarming state officials about their own exposure and prompting them to share information with one another.
The attacks began shortly after Microsoft patched a related SharePoint flaw earlier in the month; the attackers are exploiting a variant that bypasses that fix. The Cybersecurity and Infrastructure Security Agency (CISA) warned the Department of Homeland Security about the issue on Friday, prompting immediate outreach to Microsoft.
This incident follows an investigative report revealing that Microsoft used China-based engineers to maintain critical Pentagon cloud systems, supervised by U.S. personnel known as "digital escorts." Microsoft has since pledged to stop the practice.

